mirror of https://github.com/moparisthebest/pacman synced 2024-12-23 00:08:50 -05:00

pacman-key: rework and document holding keys in keyring

The HoldKey option was undocumented and was not suited for pacman.conf.
Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list
of keys not to be removed from the pacman keyring with the --populate
option.

Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae 2011-08-23 16:10:06 +10:00
parent 29dede2eb7
commit e1b9f7b300
2 changed files with 11 additions and 9 deletions
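A stand-alone illustration of the hold-list step the commit describes, written here as an added example rather than taken from pacman-key: the set of key IDs that --populate would remove is filtered against the hold file, skipping blank lines, comments and surrounding whitespace and matching IDs case-insensitively. It assumes a file format the page does not specify (one hex key ID or fingerprint per line, `#` starting a comment), it takes the file path as a parameter so it works whichever name the file ends up with (`heldkeys` in the commit message, `holdkeys` in the diff), and it deliberately skips the `gpg --list-key` resolution that the real script performs so that it runs offline.

```shell
#!/bin/sh
# filter_removals <holdfile>
#   stdin : candidate key IDs to delete from the keyring, one per line
#   stdout: the candidates that are NOT listed in <holdfile>
# A missing hold file means nothing is held, so every candidate is printed.
# Hold-file format (assumed, not defined by pacman-key): one hex key ID or
# fingerprint per line, '#' begins a comment, blank lines are ignored.
filter_removals() {
    awk -v holdfile="$1" '
        BEGIN {
            # Load the hold list once; getline returns -1 if the file is absent.
            while ((getline line < holdfile) > 0) {
                sub(/#.*/, "", line)                   # drop comments
                gsub(/^[ \t]+|[ \t]+$/, "", line)      # trim whitespace
                # Only accept something that looks like a key ID: hex, >= 8 chars.
                # Anything else (typos, stray words) is ignored rather than
                # silently holding every key.
                if (line ~ /^[0-9A-Fa-f]+$/ && length(line) >= 8)
                    held[toupper(line)] = 1
            }
            close(holdfile)
        }
        {
            id = $0
            gsub(/^[ \t]+|[ \t]+$/, "", id)
            id = toupper(id)
        }
        id != "" && !(id in held) { print id }
    '
}

# Constructed demo input (not real keyring data):
# printf 'DEADBEEF12345678\n0123456789ABCDEF\n' | filter_removals /etc/pacman.d/gnupg/holdkeys
```

The real script resolves each held entry through `gpg --list-key` so that a user may write a name or short ID; this example sidesteps that and only normalises hex IDs, which is the part that needs input validation before the value is used as an array subscript.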

@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid
PGP keys used in the signing of its packages and repository databases that can PGP keys used in the signing of its packages and repository databases that can
be readily imported into the pacman keyring. This is achieved by providing a be readily imported into the pacman keyring. This is achieved by providing a
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
provided containing a list of revoked key IDs for that keyring. These files are provided containing a list of revoked key IDs for that keyring. These files are
required to be signed (detached) by a trusted PGP key that the user must required to be signed (detached) by a trusted PGP key that the user must
manually import to the pacman keyring. This prevents a potentially malicious manually import to the pacman keyring. This prevents a potentially malicious
repository adding keys to the pacman keyring without the users knowledge. repository adding keys to the pacman keyring without the users knowledge.
A key being marked as revoked always takes priority over the key being added to
the pacman keyring, regardless of the keyring it is provided in. To prevent a
key from being revoked when using --populate, its ID can be listed in
+{sysconfdir}/pacman.d/gnupg/holdkeys+.
See Also See Also
-------- --------
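Review bot: the added paragraph names the file +{sysconfdir}/pacman.d/gnupg/holdkeys+ while the commit message says "/etc/pacman.d/gnupg/heldkeys"; settle on one name and use it in both. The wording "To prevent a key from being revoked when using --populate" also promises more than the script change delivers: the pacman-key hunk only drops the listed key from removed_ids, i.e. it stops the key being deleted from the keyring, so "To prevent a key from being removed" is the accurate phrasing. The paragraph should additionally state the file format (one key ID per line), since users have nothing else to go on.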

@ -232,17 +232,15 @@ populate_keyring() {
fi fi
done done
# List of keys that must be kept installed, even if in the list of keys to be removed # Read list of keys that must be kept installed and remove them from the list
local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")" # of keys to be removed
if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then
# Remove the keys that must be kept from the set of keys that should be removed while read key; do
if [[ -n ${HOLD_KEYS} ]]; then
for key in ${HOLD_KEYS}; do
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)" key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
if [[ -n "${removed_ids[$key_id]}" ]]; then if [[ -n "${removed_ids[$key_id]}" ]]; then
unset removed_ids[$key_id] unset removed_ids[$key_id]
fi fi
done done < "${PACMAN_KEYRING_DIR}/holdkeys"
fi fi
# Remove the keys not marked to keep # Remove the keys not marked to keep
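Review bot: the new `while read key; do ... done < "${PACMAN_KEYRING_DIR}/holdkeys"` loop has no input validation: a blank or comment line is passed straight to `--list-key`, and when the lookup yields nothing (unknown key, empty argument, gpg error) `key_id` is empty, at which point `"${removed_ids[$key_id]}"` is a bash "bad array subscript" error that aborts --populate. Suggest `while read -r key; do`, skipping lines with `[[ -z $key || $key == \#* ]] && continue`, and guarding the array access with `[[ -n $key_id ]] || continue` before the `if`. Minor: `unset removed_ids[$key_id]` is subject to pathname expansion; `unset "removed_ids[$key_id]"` avoids it.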